September 28, 1996

Hacker Zaps Tens of Thousands
Of Postings on Usenet System

Thousands of people with something to say on the Internet's Usenet newsgroup system were silenced this week by a rogue program, perpetrated upon the global network by a hacker armed with what experts said were relatively basic programming skills.

A simple, practical software tool is wielded as a weapon.

But despite the simplicity of the attack -- or perhaps because of it -- they added, there is apparently no remedy short of reposting every deleted message. And at least one official of the Federal Bureau of Investigation said Friday that although a suspect had been identified, no federal law had been broken.

In fact, one expert said Friday that such attacks were commonplace on a smaller scale and that the only thing unusual about this attack was the large number of postings deleted - estimated at one point to be more than 25,000 messages.

The attack, carried out on Sept. 22, involved a program called a "cancelbot" that scoured Usenet newsgroups for postings about a wide range of subjects, including women, religion, sex and computing, then issued commands to delete them from every newsgroup server on which they appeared.

The attack was traced to a customer of Cottage Software, Inc., a small Tulsa, Okla.,-based Internet service provider, which discovered the program on one of its servers during a routine check and investigated.

We don't have a case. I don't think we're going to be getting involved in the matter.

James M. Hawkins,
FBI's Tulsa, Okla., office

"We allow clients to run programs on our server, but only after they receive permission from us," said William Brunton, president of Cottage Software.

Brunton said that the offending program had not been authorized and that upon inspecting it, Cottage Software had uncovered its destructive nature. But by then it was too late. Brunton said that the program had already been sent on to Galaxy Star Systems, which provides Cottage Software with its Usenet news feeds, and had spread from there out to the entire Internet.

Brunton said that Cottage Software immediately terminated the offending account and notified the local FBI office about the accountholder's activities. But Brunton said of local FBI agents, "It didn't seem like they were really excited about what had happened."

James M. Hawkins, the supervising agent at the FBI's Tulsa office, confirmed Brunton's account, adding: "We don't have a case. I don't think we're going to be getting involved in the matter."

Hawkins also said that his office had contacted the local United States Attorney's office about the Usenet attack and had been told that no law had been broken.

Randall Edgmon, a spokesman for the United States Attorney for the Northern District of Oklahoma, said his office "can't confirm or deny anything" about the Usenet incident or its legal ramifications.

William Cheswick, an Internet security expert at Lucent Technologies in Murray Hill, N.J., said that cancelbots were very easy to create. They're simple programs that upload new messages, containing commands to cancel other messages, to a server that collects and distributes newsgroup postings.

This is not rocket science. There's no security.

William Cheswick
Lucent Technologies

Cancelbots have been used for about 10 years by system administrators to block excessively posted messages from propagating in the Usenet system. And they have also been used occasionally by some users with personal vendettas against other users, Cheswick said.

"This is not rocket science," he said, adding that anybody can cancel any message. "There's no security. . . . This sort of stuff happens all the time."

He explained that Usenet postings are read by a host server as a batch and can be fed through the cancelbot program, which then creates "cancel messages" matched to each posting. The program sends the cancel messages back to the computer that sent the original batch, Cheswick said, and from there the cancel messages are distributed to other news hosts throughout the Internet. It could take several days for the cancel messages to span the world, he said.

Cheswick also said that there was no practical defense against cancelbots, which were originally devised by well-meaning programmers to deal with abusive Usenet users. A big part of the loophole, he said, is the huge number of messages that pass through Usenet hosts at any moment. Each message on the host computer is a discreet file, and a typical host might see hundreds of thousands of messages a day, adding up to 2.5 gigabytes of data, the equivalent of "about 2,000 novels," he said.

On a lighter note, Cheswick said: "Frankly, I'm not going to spend a minute worrying about it. This is so minor and has been going on for so long, I'm surprised we're even talking about it."

Home | Sections | Contents | Search | Forums | Help

Copyright 1996 The New York Times Company